CVE-2016-3171
Drupal arbitrary code execution
CVSS 3.1: 8.1 (HIGH)
EPSS: 8.2%
Description
Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.
How to fix CVE-2016-3171
To remediate CVE-2016-3171, upgrade the affected package to one of the fixed versions listed below.
- Packagist/drupal/core—upgrade to 6.38 or later
- —upgrade to 6.38 or later
Is CVE-2016-3171 being exploited?
Moderate — EPSS is 8.2%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (2)
- >= 6.0, < 6.38
- >= 6.0, < 6.38
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.1 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |